This is some older work, from as old as 2006 or so. This isn’t something you’d want to use in a project today, but in 2006 – a year before Palo Alto Networks released their first firewall – we thought it was pretty exciting that we’d built a general purpose tool to identify protocols regardless of port number.
One of the first tasks I took on as an undergraduate researcher in the Enterprise Security Group at the University of Tulsa (TU) was this signature-based engine for protocol identification, which started as a side project by Collin McMillan. I took ownership after he left TU and rewrote the engine in Python. The result is a library called pysand, suitable among other uses as the back end of a passive network monitor that identifies protocols regardless of port number by deep packet inspection: it matches byte-level signatures against the start of each stream's payload rather than trusting the port the traffic arrives on.
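The port-independent, signature-driven idea in miniature, as an added example written for this page rather than pysand's own engine: the signature table, the port hints and the sample flows are all constructed, and a monitor would feed in the first bytes of real streams instead.

```python
import re
from dataclasses import dataclass

# Constructed signature table for this illustration (not pysand's own rules).
# Each regex is applied to the first bytes a flow carries, never to the port.
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-\d\.\d+-")),
    ("http", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("smtp", re.compile(rb"^220 [^\r\n]+\r\n")),                          # server banner
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),     # record header + ClientHello
]

# Ports a naive port-based monitor would trust; used only to spot disagreement.
PORT_HINTS = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}


@dataclass
class Flow:
    dst_port: int
    payload: bytes   # first bytes of application data seen on the flow


def identify(payload: bytes, max_bytes: int = 64) -> str:
    """Return the first protocol whose signature matches the stream head, else 'unknown'."""
    head = payload[:max_bytes]
    for name, pattern in SIGNATURES:
        if pattern.match(head):
            return name
    return "unknown"


def flag_mismatches(flows):
    """Return (port, detected) pairs where the payload contradicts the port's usual protocol."""
    hits = []
    for f in flows:
        detected = identify(f.payload)
        if detected != "unknown" and PORT_HINTS.get(f.dst_port) != detected:
            hits.append((f.dst_port, detected))
    return hits


# Constructed sample flows: SSH on port 80, HTTP on an odd port,
# TLS where expected, and an opaque stream that matches nothing.
SAMPLE_FLOWS = [
    Flow(80,   b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow(8443, b"GET /index.html HTTP/1.1\r\nHost: internal\r\n\r\n"),
    Flow(443,  b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    Flow(4444, b"\x00\x11\x22\x33\x44\x55"),
]

if __name__ == "__main__":
    for port, proto in flag_mismatches(SAMPLE_FLOWS):
        print(f"port {port}: payload looks like {proto}")
```

The mismatch list is what a passive monitor would surface: the port says one thing, the bytes say another.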
We demonstrated a version of the tool at the FAA’s Computer Security Incident Response Center to great success. I wrote about it in my first full-length peer-reviewed publication (PDF), and later, with Cody Pollet, added a multi-touch interface for visualizing network streams; we presented this work in a talk at DEFCON 17 (link) and in the poster session at USENIX Security.
This work is based upon collaboration with:
- Collin McMillan
- Kevin Clark
- Christopher Johnson
- Dr. John Hale
- Cody Pollet
- Matt Young
Source code repository
- Source code repository (hosted by Bitbucket)